SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #91

November 13, 2012

Time to stop asking for cybersecurity legislation:
Shifting government and industry from "admiring the problem of
cybersecurity" to taking necessary actions to protect their systems and
networks does not require legislation; the long quest for legislation
has been a massive distraction. It is high time for the U.S. to get on
with necessary actions as British and Australian leaders have done.
General Alexander at NSA and John Streufert and the managers at DHS are
leading the way by agreeing on how to secure systems and networks and
on how to measure their security. Let's help them. As a nation, let's
ask the people at OMB and NIST to stop undermining and delaying the NSA
and DHS solutions, and actively help them accelerate adoption.

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

General Alexander Frustrated with Lack of Forward Momentum on US Cybersecurity (November 8, 2012)

NSA Director and US Cyber Command chief General Keith Alexander last week told members of government and the IT security industry attending Symantec's annual government symposium that the country is "stuck at the starting line" when it comes to cybersecurity. Alexander said the US has the capability to secure its networks, but that nothing will happen until Congress moves forward with cybersecurity legislation. He added that the country lacks understanding of how networks operate and how big a threat cyberattacks are to the critical infrastructure. "I'm concerned that attacks like [the one that targeted Saudi Aramco in August] are coming, and we're spending a lot of time talking about what we should do when we should just do it."
http://www.federalnewsradio.com/473/3110944/On-cyber-defense-US-stuck-at-the-starting-line
[Editor's Note (Pescatore): I think most of the people currently actively "just doing it" and keeping their companies safe as their companies make extensive and profitable use of the Internet would agree about "let's stop talking about legislation and just get back to just doing it." (Honan): If organisations are waiting for legislation to tell them what to do rather than secure their networks by following guidelines such as the SANS 20 Critical Controls or the Australian Defence Signals Directorate (DSD) Top 35 Mitigation Strategies, then the General has a lot more to worry about. (Paller): The organizations that are making the transition (from admiring the problem to fixing it) are doing so by shifting from the compliance era benchmarks (NIST and ISO) to the action era benchmarks: the CCA 20 Critical Controls (see the UK plan at http://www.cpni.gov.uk/advice/cyber/Critical-controls/) and the Australian Strategy (see the next story for details on Australia).]

Kaspersky Finds 23 Percent of Browsers in Use Are Out-of-Date (November 9, 2012)

A study from Kaspersky has found that nearly a quarter of all browsers currently in use are not being kept up to date. Of that 23 percent, 14.5 percent of browsers are running the previous version of the browser, while 8.5 percent are running even older versions. All major browsers have automatic update options.
http://www.computerworld.com/s/article/9233501/Out_of_date_vulnerable_browsers_put_users_at_risk?taxonomyId=17
[Editor's Note (Pescatore): I'll bet most of the out-of-date ones are enterprise browsers where there are still too many apps that were written to specific browser versions, mostly IE. Another good line item in CIO evaluations: No browser specific apps!! (Honan): It would be interesting to see what percentage of the browsers were also running on outdated Operating Systems such as Windows XP or indeed Windows 2000. Many organisations are still on these platforms for economic reasons and are restricted as a result to the browsers they can deploy on those platforms. (Paller): John Pescatore's note points out the connection between application standards and cybersecurity effectiveness. As long as application developers and marketers (and the CIOs who buy from them) do not have to make apps conform to security benchmarks, there will be little security people can do to make their environments defensible.]
************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116597
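The Kaspersky figures come from the vendor's own telemetry, but the same three buckets (current, one major version behind, older) can be measured inside an organisation from the User-Agent strings in proxy logs, which is also how to find the browser-pinned enterprise apps Pescatore mentions. The following is an added example and not code from Kaspersky, Computerworld or NewsBites. The proxy log lines are constructed, and the CURRENT_MAJOR table is an illustrative placeholder rather than the real release state at the time; populate it from vendor release notes before using it.

```python
import re
from collections import Counter

# ASSUMPTION: illustrative "current" major versions, not the real release
# state at the time of the study; populate from vendor release notes.
CURRENT_MAJOR = {"Chrome": 23, "Firefox": 17, "MSIE": 9, "Safari": 6}

# Constructed proxy log: epoch time, client IP, URL, quoted User-Agent.
SAMPLE_PROXY_LOG = """\
1352764800.123 10.1.2.3 http://example.com/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"
1352764801.456 10.1.2.4 http://example.com/ "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0"
1352764802.789 10.1.2.5 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1352764803.000 10.1.2.6 http://example.com/ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
1352764804.000 10.1.2.7 http://example.com/ "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
1352764805.000 10.1.2.3 http://example.com/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Order matters: IE strings carry no other browser token, and Chrome strings
# also contain "Safari", so Chrome must be tested before Safari.
UA_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+)\.")),
    ("Firefox", re.compile(r"Firefox/(\d+)\.")),
    ("Chrome", re.compile(r"Chrome/(\d+)\.")),
    ("Safari", re.compile(r"Version/(\d+)\.[\d.]* Safari/")),
]


def classify_ua(ua):
    """Return (family, major_version) for a User-Agent string, or None."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, int(m.group(1))
    return None


def version_status(family, major):
    """'current', 'previous' (one major behind) or 'older': the three
    buckets the Kaspersky figures are reported in."""
    current = CURRENT_MAJOR[family]
    if major >= current:
        return "current"
    if major == current - 1:
        return "previous"
    return "older"


def inventory(log_text):
    """Count browsers per client host (last browser seen per IP, so one
    chatty client does not skew the numbers)."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ua = m.group(2), m.group(4)
        parsed = classify_ua(ua)
        if parsed is not None:
            latest[client] = parsed
    counts = Counter(version_status(f, v) for f, v in latest.values())
    result = {k: counts.get(k, 0) for k in ("current", "previous", "older")}
    result["total"] = len(latest)
    return result


def outdated_share(inv):
    """Fraction of hosts not on the current major version."""
    if inv["total"] == 0:
        return 0.0
    return (inv["previous"] + inv["older"]) / inv["total"]


if __name__ == "__main__":
    inv = inventory(SAMPLE_PROXY_LOG)
    print(inv, "out of date: {:.0%}".format(outdated_share(inv)))
```

Counting per client host rather than per request is deliberate: a single machine with a stale browser that polls a web app every minute would otherwise dominate the percentage. The hosts that land in the "older" bucket are the first place to look for the browser-specific applications that keep them there.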

THE REST OF THE WEEK'S NEWS

Singapore's Ministry of Home Affairs is seeking to amend the country's Computer Misuse Act to give the government more authority to stop cyberattacks against critical information infrastructure (CII) before they even start. The change would work like this: when the Ministry of Home Affairs receives credible intelligence regarding the possibility of a cyberattack, the Minister would have the authority to order that certain steps be taken to "strengthen the resilience of the CII against the cyberthreat." The current law allows the Minister to order action only after an attack has been detected. The amendment would also broaden the scope of what are deemed "essential services" to include aviation, shipping, and health services.
http://www.zdnet.com/sg/singapore-amends-law-to-counter-cyberattacks-7000007248/
[Editor's Note (Pescatore): This is a reactive strategy trying to be painted as proactive. Why not remove the known vulnerabilities ("strengthen the resilience") on an ongoing basis - better to fix the leaks in the roof *before* the weather forecast says rain, as there are many unannounced storms. (Assante): Credible intelligence often begins after a bang. What would be interesting is to learn if the Minister feels any of the ordered actions after an attack were useful in mitigating the consequences or preventing the next attack.]

Security researchers have unearthed evidence that the malware infection found on Israeli police computers is likely part of a yearlong cyberespionage operation that targeted entities in Israel and the Palestinian territories. Last month, Israeli police took down their computer network after discovering that it had been infected with a remote access Trojan (RAT) known as Xtreme RAT. The malware was delivered through an email that appeared to come from Israel Defense Forces chief of general staff Benny Gantz. The malware was accompanied by a phony Microsoft certificate, which is what let researchers at the Norwegian company Norman ASA attribute other attacks to the same group: those attacks used the same phony certificate. The bait documents used in the attacks contained metadata that revealed the names or aliases of some of those involved in their execution. The malware used dynamic DNS providers to change the IP addresses of the control networks. In the earlier attacks against Palestinian targets, most of the addresses were traced to a network in Gaza; when the attackers shifted their focus to Israel, the control servers shifted to the US.
http://krebsonsecurity.com/2012/11/malware-spy-network-targeted-israelis-palestinians/
http://www.computerworld.com/s/article/9233514/Researchers_identify_year_long_cyberespionage_effort_against_Israelis_Palestinians?taxonomyId=17
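The use of dynamic DNS for the control servers is the one detail in this story a defender can act on from their own resolver logs: a name under a dynamic DNS provider's zone is a weak indicator on its own, and a name whose answer keeps changing is weaker still (CDNs and round-robin do that legitimately), but the combination is worth a look. The following is an added example, not code from Norman ASA, Krebs on Security or NewsBites. The resolver log lines are constructed, and DYNDNS_ZONES is a placeholder list; a real deployment would feed it from a maintained list of dynamic DNS provider domains.

```python
# ASSUMPTION: placeholder dynamic DNS provider zones; maintain this list
# from your own threat intelligence sources in practice.
DYNDNS_ZONES = {"ddns.example", "dyn.example"}

# Constructed resolver log: UTC time, client, queried name, answer address.
SAMPLE_DNS_LOG = """\
2012-11-12T10:00:01Z 10.1.2.3 updates.ddns.example 203.0.113.10
2012-11-12T10:05:01Z 10.1.2.3 updates.ddns.example 203.0.113.10
2012-11-12T11:00:01Z 10.1.2.3 updates.ddns.example 198.51.100.7
2012-11-12T10:00:02Z 10.1.2.4 www.example.org 192.0.2.80
2012-11-12T10:30:02Z 10.1.2.4 www.example.org 192.0.2.80
2012-11-12T10:00:03Z 10.1.2.5 cdn.example.net 192.0.2.1
2012-11-12T10:10:03Z 10.1.2.5 cdn.example.net 192.0.2.2
"""


def registered_domain(qname):
    """Last two labels of a name. Simplification: ignores multi-label
    public suffixes such as co.uk; use a public suffix list for real data."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(log_text):
    """Return {qname: {"reasons": [...], "ips": [...], "clients": [...]}}
    for names that sit under a dynamic DNS zone and/or resolved to more
    than one address during the window. Names with both reasons are the
    ones to investigate first."""
    observed = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, ip = parts
        qname = qname.rstrip(".").lower()
        entry = observed.setdefault(qname, {"ips": [], "clients": set()})
        if ip not in entry["ips"]:
            entry["ips"].append(ip)  # keeps first-seen order
        entry["clients"].add(client)

    flagged = {}
    for qname, entry in observed.items():
        reasons = []
        if registered_domain(qname) in DYNDNS_ZONES:
            reasons.append("dynamic-dns-provider")
        if len(entry["ips"]) > 1:
            reasons.append("ip-changed")
        if reasons:
            flagged[qname] = {
                "reasons": reasons,
                "ips": entry["ips"],
                "clients": sorted(entry["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for name, info in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(name, info["reasons"], "->", info["ips"], "from", info["clients"])
```

On the constructed data, updates.ddns.example is flagged for both reasons, cdn.example.net only for changing addresses (the expected false positive class), and www.example.org not at all. This is why the researchers in the story clustered the campaign on the shared forged certificate rather than on control server addresses: the addresses were designed to move.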

A 15-year-old hacker has been sentenced in juvenile court in California. The unnamed teen, who uses the online moniker Cosmo, pleaded guilty to a string of felonies in exchange for probation. The charges stem from credit card fraud, identity theft, bomb threats, and online impersonation. Cosmo was part of a hacker group that took down websites and was vocally opposed to SOPA. He also gained access to Amazon and PayPal accounts using social engineering techniques. The terms of Cosmo's probation, which will last until his 21st birthday, dictate that he may not use the Internet without permission from his probation officer and that he is prohibited from contacting members of hacking groups with which he has been associated, along with a number of other restrictions. If he violates the terms of his probation, he will be sent to prison for three years.
http://www.wired.com/gadgetlab/2012/11/hacker-cosmo-the-god-sentenced-by-california-court/

Malware Steals Images (November 7, 2012)

Researchers have discovered malware designed to steal images from infected devices. The malware, which Sophos named PixSteal-A, targets Windows PCs and searches for JPEG and DMP files. It then connects to a remote server through FTP and uploads the files it found. The server collecting the images is hosted in Iraq, but the person controlling the operation could be anywhere in the world. One possible mitigation is to block outbound FTP connections at the firewall.
http://www.v3.co.uk/v3-uk/news/2222922/researchers-warn-of-imagestealing-malware
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-steals-image-files-from-systems/
[Editor's Note (Murray): Before acting on this "warning," one might like to know what the attack vector is and how pervasive the code is. Without regard to this malware, the continued presence of FTP is an unnecessary risk. On the other hand, it ships with Windows by default; anyone can use it, but one must have administrative privileges to erase or rename it. Hardly seems likely we will get rid of it.]
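Blocking FTP at the egress firewall is only half the control; the other half is looking at the connection log to see which internal hosts are trying to open FTP sessions to the Internet, because a dropped attempt from a workstation is exactly the infected host you want to find. The following is an added example, not code from Sophos, Trend Micro or NewsBites: it runs a check over constructed firewall connection log lines and flags outbound TCP/21 from RFC 1918 addresses to external ones. The log format is invented for the example; adapt LINE_RE to your firewall's export.

```python
import ipaddress
import re

# Constructed firewall connection log: time, src -> dst, proto, dst port, action.
SAMPLE_FW_LOG = """\
2012-11-07T09:12:01Z 10.20.30.40 -> 203.0.113.55 tcp 21 ALLOW
2012-11-07T09:12:02Z 10.20.30.40 -> 203.0.113.55 tcp 443 ALLOW
2012-11-07T09:13:07Z 10.20.30.41 -> 198.51.100.9 tcp 21 DROP
2012-11-07T09:14:00Z 10.20.30.42 -> 10.20.1.5 tcp 21 ALLOW
2012-11-07T09:15:00Z 10.20.30.43 -> 203.0.113.77 udp 53 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp) (\d+) (ALLOW|DROP)$")

FTP_CONTROL_PORT = 21

# RFC 1918 space is used as "internal" explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges used
# in the sample log (198.51.100.0/24, 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def is_egress(src, dst):
    """True when an internal source talks to a non-internal destination."""
    return is_internal(src) and not is_internal(dst)


def find_ftp_egress(log_text):
    """Flag outbound FTP control-channel connections. An allowed one is an
    egress policy gap (and possibly an upload in progress); a dropped one
    still names a host that tried, which is the one to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, proto, dport, action = m.groups()
        if proto != "tcp" or int(dport) != FTP_CONTROL_PORT:
            continue
        if not is_egress(src, dst):
            continue  # internal-to-internal FTP is a separate policy question
        hits.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "action": action,
            "verdict": "egress-policy-gap" if action == "ALLOW" else "blocked-attempt",
        })
    return hits


if __name__ == "__main__":
    for h in find_ftp_egress(SAMPLE_FW_LOG):
        print(h["time"], h["src"], "->", h["dst"], h["action"], h["verdict"])
```

Watching only the control channel on TCP/21 is enough here: in passive mode the data channel port is negotiated over the control connection, so if that connection never completes no upload can follow, and active-mode data connections arrive inbound from the server, which a default-deny inbound policy already stops. Murray's caveat still stands, though: this catches FTP, and a variant that posts the same files over HTTPS walks straight past it.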

A federal judge in Ohio will not hear a case about "experimental" software patches that were applied to certain e-voting machines in Ohio just days prior to last week's presidential election. The suit alleged that the untested patches posed a threat to the integrity of the vote count. But Judge Gregory Frost, US District Court for the Southern District of Ohio, said that the plaintiff provided no evidence that the software was capable of altering election results and threw out the lawsuit. Judge Frost wrote that the plaintiff's "alleged harm is purely speculative." The lawsuit alleged that Ohio Secretary of State John Husted violated both state and federal laws by allowing the software patches to be applied to the Election Systems & Software (ES&S) vote tabulation machines. Husted's office said that the patches were designed to reformat results that had already been counted. Husted's office maintained that because the software is not considered part of the certified voting system, it was not subject to the testing and certification requirements.
http://www.computerworld.com/s/article/9233316/Judge_throws_out_Ohio_lawsuit_over_software_on_vote_tabulation_machines?taxonomyId=208
http://www.minnpost.com/christian-science-monitor/2012/11/ohio-voting-software-vulnerable-fraud-court-hear-election-day-case
************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/